VYPR
Unrated severity · NVD Advisory · Published Aug 24, 2018 · Updated Sep 17, 2024

CVE-2018-3909


Description

An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, 'on_message_complete' callback. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An HTTP request smuggling vulnerability in the Samsung SmartThings Hub STH-ETH-250 (firmware 0.20.17) allows an unauthenticated, network-adjacent attacker to overwrite parsed HTTP methods and callbacks, potentially leading to arbitrary code execution.

Vulnerability

The REST parser of the video-core HTTP server within the Samsung SmartThings Hub STH-ETH-250 (firmware version 0.20.17) improperly handles pipelined HTTP requests [1]. Successive requests can overwrite the previously parsed HTTP method, URL, and body, and corrupt the 'on_message_complete' callback [1]. This is a CWE-444 HTTP request smuggling vulnerability [1].

Exploitation

An attacker with network access to the hub can send a crafted sequence of pipelined HTTP requests without authentication [1]. By exploiting the improper handling, the attacker can cause the video-core process to misinterpret subsequent requests, potentially allowing injection of unexpected commands or control flow manipulation [1]. No user interaction is required beyond the hub being active on the network.

Impact

Successful exploitation allows the attacker to influence the HTTP parsing state, which can lead to arbitrary code execution in the context of the video-core process or other unintended behavior with high integrity and availability impact [1]. The CVSS v3 base score is 9.1 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H [1].

Mitigation

Samsung released firmware updates addressing this issue after the disclosure by Cisco Talos. Users should update the SmartThings Hub to the latest firmware version available via the SmartThings mobile application or official support channels [1]. There is no publicly documented workaround for this specific vulnerability. The CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `on_message_complete` callback overwrites the stored HTTP method on every invocation, so pipelined requests cause the method from the last request to replace the method from earlier requests."

Attack vector

An attacker opens a single TCP connection and sends two pipelined HTTP requests over it. The first request carries the intended path (e.g., `PUT /cameras`), and the second request carries a different method (e.g., `GET /00000000-...`). Because the `on_message_complete` callback overwrites the stored method on each invocation, the server processes the path from the first request with the method from the second request, bypassing access controls or triggering unintended state changes [1]. No authentication is required; the attacker only needs network access to the hub's video-core port (3000).

Affected code

The vulnerability resides in the `on_message_complete` callback (`sub_415F4`) within the video-core HTTP server. At offset `[5]` (`STR R12, [R3,#0x20]`), the parsed HTTP method is written to a custom structure, but this field is overwritten on each invocation without regard for pipelined requests.

What the fix does

The advisory does not include a patch diff. The recommended remediation is to fix the `on_message_complete` callback so that it does not blindly overwrite the stored method when processing pipelined requests. Instead, the server should either reject pipelined requests entirely or maintain a per-request method context so that each request's method is preserved independently [1].
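The two remediation options above, modelled in C as an added example (not Samsung's or Talos's code): one connection-wide method slot that every `on_message_complete` call overwrites, next to a per-request context and a pipelining check. The struct layout, the toy splitter and every name except `on_message_complete` are assumptions, as is dispatching only after the whole read buffer has been parsed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_REQS 8
struct request { char method[8], path[128]; };
struct conn {
    char shared_method[8];         /* flawed: one slot per connection */
    struct request reqs[MAX_REQS]; /* hardened: one context per request */
    int count;
};
/* Model of the completion callback: runs once per parsed request. */
static void on_message_complete(struct conn *c, const char *m, const char *p)
{
    /* Flawed behaviour from the advisory: every call overwrites the slot. */
    snprintf(c->shared_method, sizeof c->shared_method, "%s", m);
    if (c->count == MAX_REQS) return;
    /* Hardened behaviour: the method stays bound to its own request. */
    snprintf(c->reqs[c->count].method, sizeof c->reqs[0].method, "%s", m);
    snprintf(c->reqs[c->count].path, sizeof c->reqs[0].path, "%s", p);
    c->count++;
}

/* Toy splitter (constructed): a request ends at a blank line, no bodies. */
static int parse_buffer(struct conn *c, const char *buf)
{
    const char *end;
    memset(c, 0, sizeof *c);
    for (; (end = strstr(buf, "\r\n\r\n")) != NULL; buf = end + 4) {
        char m[8] = "", p[128] = "";
        if (sscanf(buf, "%7[A-Z]%*1[ ]%127[^ \r\n]", m, p) == 2)
            on_message_complete(c, m, p);
    }
    return c->count;
}

/* Method a dispatcher pairs with request i under each layout. */
static const char *method_for(const struct conn *c, int i, int per_request)
{ return per_request ? c->reqs[i].method : c->shared_method; }
/* Alternative fix: refuse a buffer that carries more than one request. */
static int reject_pipelined(const struct conn *c) { return c->count > 1; }
/* Constructed sample: the two requests quoted in the Reproduction section. */
static const char SAMPLE[] = "PUT /cameras HTTP/1.1\r\n\r\n"
    "GET /00000000-0000-0000-0000-000000000001\r\n\r\n";
int main(void) {
    struct conn c;
    parse_buffer(&c, SAMPLE);
    printf("%s: shared=%s per-request=%s reject=%d\n", c.reqs[0].path,
           method_for(&c, 0, 0), method_for(&c, 0, 1), reject_pipelined(&c));
    return 0;
}
```

With the shared slot, the `/cameras` request is paired with the method of the request that followed it; with per-request contexts it keeps its own.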

Preconditions

  • network: Network access to the video-core HTTP server on port 3000 of the Samsung SmartThings Hub STH-ETH-250
  • config: The target hub must be running firmware version 0.20.17

Reproduction

Open a single TCP connection and send two pipelined HTTP requests over it. For example: `echo -e "PUT /cameras HTTP/1.1\r\n\r\nGET /00000000-0000-0000-0000-000000000001\r\n\r\n" | nc 127.0.0.1 3000`. The server will process the path from the first request with the method from the second request, as shown in the Talos PoC [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
